Block (nullroute?) an IPv6 hostname using /etc/hosts

3

1

I'm trying to prevent my web browser from communicating with certain hosts (mostly ads and tracking). I have a list of such hosts in my /etc/hosts file.

For IPv4 I can do:

255.255.255.255 example.com

How can I do that with IPv6? The following two do not seem to work:

::1     example.com
ff02::2 example.com

This is for dnsmasq on a Debian machine. Please assist.

UPD: Please also advise what's an easy way to check the results - something similar to nslookup on Windows. Tried dig -6 example.com but it hangs and then throws an error.

# dig example.com -6

; <<>> DiG <<>> example.com -6
;; global options: +cmd
;; connection timed out; no servers could be reached

aexl

Posted 2014-10-16T17:28:14.267

Reputation: 145

Exactly what are you actually trying to accomplish? – Michael Hampton – 2014-10-16T17:32:23.747

@MichaelHampton I'm trying to prevent my web browser from communicating with certain hosts. – aexl – 2014-10-16T17:33:16.820

Why bother with IPv6 specifically? If your browser is using names to look up the hosts, then it doesn't care whether it gets an IPv4 or IPv6 address back. If it's already doing IPv6 then it's already found an address and nothing you can put in /etc/hosts will change that. – wurtel – 2014-10-17T10:11:14.873

Wow, @wurtel. You really missed the point of an ad-blocking hosts file! – hopeseekr – 2016-06-25T12:02:06.910

Answers

1

To override both IPv6 and IPv4 name lookups, you need both in /etc/hosts. I just tried using ::1 example.com in /etc/hosts and it did work as expected.

You may have ping6 and traceroute6 variants installed -- you should use those for testing. ping and traceroute tend to be IPv4-only, though the Windows version of ping does have a -6 parameter for IPv6 mode.

user567965

Posted 2014-10-16T17:28:14.267

Thank you for your answer. The line that worked for me back then is ff02::2 example.com – aexl – 2016-03-08T10:44:59.567

0

There is nothing extra you need to do.

If in the past you blocked the hostname example.com by assigning it the IP 255.255.255.255, it will continue to work - you will never go to the right IP address for that host: it doesn't matter if the real (working) IP address for that hostname (before you destroyed it) was IPv4 or IPv6 (or didn't exist).

Note that you cannot use dig, host, nslookup etc. to check such a DNS blackhole - they will all connect directly to DNS servers, bypassing /etc/hosts.

You can check with:

ping example.com

or by opening a browser to http://example.com/, etc. If you used 255.255.255.255 it should not work (note that ping will work if you used 127.0.0.1, but that is because you would be pinging your own computer, which most certainly does not run an ad server - you can see that if you used a web browser).

So, to summarize: you do not need to do ANYTHING extra for IPv6 to continue such blocking practice.

Matija Nalis

Posted 2014-10-16T17:28:14.267

Reputation: 2 107

Most browsers look for IPv6 first, and if it resolves, use it and never look up IPv4 addresses. So no. You're wrong. – hopeseekr – 2016-06-25T12:03:04.693

@hopeseekr But I am correct. I've actually tried it, have you? When you add 255.255.255.255 google.com in /etc/hosts on a machine running dual-stack IPv4+IPv6 on Debian Wheezy, trying to open google.com in Firefox, Chromium, Elinks, Wget etc. will return an error instead of opening it. That is because with the default Debian nsswitch.conf(5), DNS won't be consulted at all if an entry is matched in hosts(5). Also, note that modern browsers will look up IPv4 even if IPv6 is present, as they use RFC 6555 (see https://en.wikipedia.org/wiki/Happy_Eyeballs)

– Matija Nalis – 2016-07-01T11:08:49.260
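
The answers above disagree on whether a blocked name needs an IPv6 line as well as an IPv4 one. The following is an added example, not code from any of the posters: it audits a hosts file for names pinned in only one address family and resolves them through getaddrinfo(), which follows nsswitch.conf and therefore sees /etc/hosts (unlike dig, host or nslookup). The function names and the sample hosts content are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample hosts file (not taken from the original question).
SAMPLE_HOSTS = """\
127.0.0.1        localhost
::1              localhost ip6-localhost
255.255.255.255  ads.example.com tracker.example.net   # IPv4 sink only
::1              ads.example.com
"""

def parse_hosts(text):
    """Map each lower-cased hostname to the set of IP versions (4, 6) pinned for it."""
    families = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address without a name
        try:
            # Strip any zone id (fe80::1%eth0) before parsing the address.
            version = ipaddress.ip_address(fields[0].split("%", 1)[0]).version
        except ValueError:
            continue                             # malformed address: ignore the line
        for name in fields[1:]:
            families.setdefault(name.lower(), set()).add(version)
    return families

def missing_families(text):
    """Names pinned for only one address family, mapped to the family that is missing."""
    return {name: ({4, 6} - seen).pop()
            for name, seen in parse_hosts(text).items() if len(seen) == 1}

def system_lookup(name):
    """Resolve via getaddrinfo(), i.e. through nsswitch.conf, so /etc/hosts is honoured."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        for name, fam in sorted(missing_families(fh.read()).items()):
            print(f"{name}: no IPv{fam} entry; system resolver returns {system_lookup(name)}")
```

On the command line, `getent ahosts example.com` performs the same nsswitch-aware lookup.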